'Stagefright 2.0' bug menaces over a billion Android devices

iTnews.com (AUS) ^ | Oct 2 2015 6:39AM (AUS) | Juha Saarinen

[Utilizer]

Researchers have discovered a second set of serious vulnerabilities in Google's Android mobile operating system, leaving over a billion new and old devices open to attack.

Dubbed Stagefright 2.0, the newly discovered vulnerabilities stem from two flaws in how Android handles audio and video files.

It was found by Joshua Drake of security vendor Zimperium, who also discovered the original Stagefright vulnerability affecting just under a billion Android devices in July this year.

The first Stagefright flaw in the Android media processing software library allowed attackers to send a specially crafted multimedia messaging service (MMS) missive which, when received in Google's Hangouts and Messenger apps, would allow attackers to run arbitrary code on victims devices without user interaction.

[Utilizer]

More worrisome news for anyone using an Android device.

[ClearCase_guy]

Stagefright 1.0 performed by The Band in the film “The Last Waltz”:

https://www.youtube.com/watch?v=ZIfKkV77lqM

[LoneStar42]

Putting my age on display - I was there when they taped it. I was stunned to see a DVD of it in a store labelled “Classics.”

[A CA Guy]

Great job Apple and Microsoft.

[Dalberg-Acton]

Shockwave/Flash is malware for any device.

[Swordmaker]

This ping is for all you Android device users who may also be Apple device users. . . StageFright is back in a new incarnation and can infect even more Android devices. Estimate is 1 billion are vulnerable. Be careful out there. . .

Ping to the Apple list, ThunderSleeps to ping the Android list, dayglored for the Windows list, and Shadow Ace for the Tech list. . .

Be careful so your Android device doesn't come down sick!

[ThunderSleeps]

Be careful out there! — ANDROID PING!
Android Ping! If you want on or off the Android Ping List, Freepmail me.

[Utilizer]

Shockwave/Flash is malware for any device.

Unfortunately, it is used on many websites so browsers have to have ways to deal with it, and most smartphones use it as well which makes this bug doubly troublesome.

[dayglored]

Android users beware - StageFright again ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

This is for the Windows users who have Android devices -- you know who you are!

Thanks to Swordmaker for the ping!!

[Swordmaker]

The logo source file has moved or been deleted from its original location at http://ragzon.com/wp-content/uploads/2015/08/Android-logo-4.jpg

All one gets there is a 404.

You are going to have to find another Android robot logo. . .

[Swordmaker]

here you go:

http://www.ouyactu.com/media/2013/07/android.png

[kingu]

Oh, no, not really worrisome for Android users - good news, really. Potential bugs have been discovered because of the open source ecosystem of Android, those potential bugs will be addressed, and even more pressure put on handset makers and carriers to actually push out regular updates to the software.

Since Google has gone to a monthly update scheme for the Nexus line, they've set a new standard for the Android industry, one which will also pressure handset makers and carriers to follow along in the not so distant future.

Beyond, it shows the problem with carrier locked devices; users are kept from needed updates by this unnecessary restriction.

I expect that Dolphin will likely be one of the first browsers to use alternate libraries for mp3 & mp4 files, and an update to Google Chrome (and the dependent libraries) will be pushed out with the Marshmallow release.

It is to be noted that these are lab discovered vulnerabilities and no exploits of a 5 year old problem have ever been found in the wild, plus any Android device with 4.0 or higher uses randomized memory locations, so turning this exploit into something useful is rather doubtful to begin with.

[ThunderSleeps]

Got it, thanks. I’ll give it a try next ping!